1. Introduction to UK Data Protection Law
2. Definitions
3. Principles of the UK GDPR
4. Lawful Processing
5. Individual Rights
6. Operational Policies & Procedures – The Context
7. Personnel
8. Collecting & Processing Personal Data
9. Information Technology
10. Data Subjects
11. Privacy Impact Assessment
12. Third Party Access to Data
13. Data Breach
14. Privacy Policy & Privacy Notices

The EU introduced the General Data Protection Regulation ("GDPR"), which took effect on 25 May 2018 and significantly enhanced the former data protection legislation. The GDPR has retained EU law status, which means that the version of the GDPR that applied on 1 January 2021 continues to apply in the UK despite its withdrawal from the EU. In this policy we refer to the retained EU law version of the GDPR as the “UK GDPR”. The Data Protection Act 2018 ("DPA") sits alongside and supplements the UK GDPR.

Under the DPA UK GDPR, Adult Literacy Trust (or "ALT") is required to comply with a series of obligations. These obligations are set out below. We have separate Privacy Notices for Participants and Trustees that set out how and why Adult Literacy Trust collect, use and store Personal Data.

The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article4 of the UK GDPR.

Data Controller

A Data Controller is the natural or legal person, or other body which, determines the purposes and means of the processing of personal data.

Data Processor

A Data Processor is a natural or legal person, or other body which processes personal data on behalf of the Data Controller.

Data Subject

A Data Subject is an identifiable natural person about whom ALT holds Personal Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name (amongst others) or one or more factors specific to the identity of that natural person.

Personal Data

Personal Data is any information relating to an identified or identifiable natural person

Contact Information

For the purposes of this policy, “Contact Information” means any or all of the person’s: full name (including any preferences about how they like to be called); full postal address; telephone and/or mobile number(s); e-mail address(es); social media IDs/UserNames (e.g.: Facebook, Skype, WhatsApp).

The UK GDPR requires Personal Data be processed in accordance with certain principles. For example, Personal Data should be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and only for those purposes
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date;
5. kept in a form which allows the Data Subject to be identified from it for no longer than is necessary and
6. processed in a manner that ensures appropriate security of the personal data

Adult Literacy Trust is committed to obtaining, holding and processing all Personal Data in accordance with the UK GDPR and the DPA for the following lawful purposes.

Personal Data collected, held and processed will include Contact Information (as defined in 2 above).

4.1 By Consent

Subject to a Data Subject's consent, ALT may process Personal Data of that Data Subject. This includes when Data Subject's opt into receiving updates on activities of ALT.
Note: this will not involve providing the person’s personal data to another organisation.

The data collected may also contain details of any particular areas of interest about which the person wishes to be kept informed.

The data provided will be held and processed solely for the purpose of providing the information requested by the person.

4.2 By Contract

ALT may process Personal Data of those who sell goods and/or services to, and/or purchase goods and/or services from Adult Literacy Trust.

The data collected may also contain details of: a) The goods/services being sold to, or purchased from Adult Literacy Trust; b) Bank and other details necessary and relevant for the performance of the contract e.g. to the make or receive payments for the goods/services being sold to, or purchased from Adult Literacy Trust.

The data provided will be held and processed solely for the purpose of managing the performance of the contract between Adult Literacy Trust and the supplier or purchaser of the goods/services, regulated by the contract.

4.3 By Legal Obligation

ALT may process Personal Data where there is a legal obligation on Adult Literacy Trust to collect, process and share data with a third party – e.g., the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of Adult Literacy Trust.

The data provided will be held, processed and shared with others solely for the purpose meeting Adult Literacy Trust’s legal obligations.

Employment Data - In an employment context, there may be additional Personal Data which the Adult Literacy Trust is required to collect, process, and share with a third party on the basis that it is a legal obligation to do so, for example tax and PAYE data. Where applicable, ALT will communicate details of such additional Personal Data with employees.

4.4 By Vital Interest

Adult Literacy Trust does not undertake activities that require the collection, holding and/or processing of Personal Data in order to protect the vital interests of a Data Subject.

4.5 By Public Interest

Adult Literacy Trust do not carry out tasks in the public interest which would require the collection, holding and/or processing of Personal Data

4.6 Legitimate Interest

Volunteers, Including Trustees
In order to be able to operate efficiently, effectively and economically, it is in the legitimate interests of Adult Literacy Trust to hold such Personal Data on its volunteers and Trustees as will enable Adult Literacy Trust to communicate with its volunteers on matters relating to the operation of the charity, e.g.:

• the holding of meetings;
• providing information about Adult Literacy Trust’s activities – particularly those activities which, by their nature, are likely to be of particular interest to individual volunteers/Trustees;
• seeking help, support and advice from volunteers/Trustees, particularly where they have specific knowledge and experience;
• ensuring that any particular needs of the volunteer/Trustee are appropriately and sensitively accommodated when organising meetings and other activities of Adult Literacy Trust.

Closed Circuit TV (CCTV) Recording

Adult Literacy Trust may collect video CCTV images of people entering and moving around its premises in order to safeguard its collection from theft and vandalism, as may be required by its insurers.

Note: The following clauses are taken primarily from the guidance provided by the Office of the Information Commissioner: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

5.1 The right to be informed {Arts 12-14}

When collecting personal data from the data subject Adult Literacy Trust will provide to the data subject a Privacy Notice containing the following information:

• Identity and contact details of the controller
  Note: where the organisation has a controller’s representative and/or a data protection officer, their contact details should also be included
• Purpose of the processing and the lawful basis for the processing
• The legitimate interests of the controller or third party, where applicable
• Categories of personal data
• Any recipient or categories of recipients of the personal data
• Details of transfers to third country and safeguards
• Retention period or criteria used to determine the retention period
• The existence of each of data subject’s rights
• The right to withdraw consent at any time, where relevant
• The right to lodge a complaint with a supervisory authority
• The source the personal data originates from and whether it came from publicly accessible sources
• Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
• The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

In the case that the data are not obtained directly from the data subject, the information will be provided within a reasonable period of Adult Literacy Trust having obtained the data (within one month), or,
if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or,
if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

5.2 The right of access {Art:15}

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in Adult Literacy Trust’s relevant policies.

5.3 The right to rectification {Art:16}

The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

5.4 The right to erase {The right to be forgotten} {Art:17}

Except where the data are held for purposes of legal obligation or public interest (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her. Note: This provision is also known as “The right to be forgotten”.

5.5 The right to restrict processing {Art:18}

Where there is a dispute between the data subject and the controller about the accuracy, validity or legality of data held by Adult Literacy Trust, the data subject shall have the right to require the Controller to cease processing the data for a reasonable period of time to allow the dispute to be resolved.

5.6 The right to data portability {Art:20}

Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the controller to provide him/her with a copy in a structured, commonly used and machine-readable format of the data which he/she has provided to the controller and have the right to transmit those data to another controller without hindrance.

5.7 The right to object {Art:21}

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on either public interest or legitimate interest grounds (4.5 or 4.6), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest, at the time of the first communication with the data subject, the right referred to in paragraphs a) and b) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5.8 Rights in relation to automated decision making and profiling. {Art:22}

Except where it is: a) based on the data subject’s explicit consent, b) necessary for entering into, or performance of, a contract between the data subject and a Data Controller; or c) when the decision is authorised by law, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

Operational Policies and Procedures

Adult Literacy Trust is a small charity holding just a small amount of non-sensitive data on a small number of people.

The Trustees understand and accept their responsibility under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) to hold all personal data securely and use it only for legitimate purposes with the knowledge and approval of the data subjects.

By the following operational policies and procedures, the Trustees undertake to uphold the principles and requirements of the UK GDPR and the DPA in a manner that is proportionate to the nature of the personal data held by Adult Literacy Trust. The policies are based on the Trustees’ assessment, in good faith, of the potential impacts on both Adult Literacy Trust and its data subjects of the personal data held by Adult Literacy Trust being stolen, abused, corrupted or lost.

7.1 Data Protection Officer

In the considered opinion of the Trustees the scope and nature of the personal data held by Adult Literacy Trust is not sufficient to warrant the appointment of a Data Protection Officer.

Accordingly, no Data Protection Officer is appointed.

7.2 Data Controller

The Board of Trustees is the Data Controller for Adult Literacy Trust.

7.3 Data Processor

The Board of Trustees will appoint at least 2 and not more than 5 of its number, or other appropriate persons, to be the Data Processors for Adult Literacy Trust.

Adult Literacy Trust will not knowingly outsource its data processing to any third party (e.g., Google G-Suite, Microsoft OneDrive) except as provided for in the section "Third Party Access to Data".

7.4 Access to Data

Except where necessary to pursue the legitimate purposes of Adult Literacy Trust, only the Data Processors shall have access to the personal data held by Adult Literacy Trust.

7.5 Training

The Board of Trustees and Data Processors will periodically undergo appropriate training commensurate with the scale and nature of the personal data that Adult Literacy Trust holds and processes under the UK GDPR and the DPA.

Adult Literacy Trust collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects.

All personal data will be collected, held and processed in accordance with the relevant Data Privacy Notice provided to data subjects as part of the process of collecting the data.

A Data Privacy Notice will be provided, or otherwise made accessible, to all persons on whom Adult Literacy Trust collects, holds and processes data covered by the UK GDPR and the DPA. The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected and the subject’s rights in relation to Adult Literacy Trust’s use of the data and other relevant information in compliance with the prevailing UK GDPR and DPA requirements.

9.1 Data Protection by Design/Default

Inasmuch as:

1. none of Adult Literacy Trust’s volunteer Trustees are data protection professionals;
2. it would be a disproportionate use of charitable funds to employ a data protection professional, given the scale and nature of the personal data held by Adult Literacy Trust;
   
   the Trustees will seek appropriate professional advice commensurate with its data protection obligations whenever:
3. they are planning to make significant changes to the ways in which they process personal data;
4. there is any national publicity about new risks (e.g., cyber attacks)

which might adversely compromise Adult Literacy Trust’s legitimate processing of personal data covered by the UK GDPR and the DPA.

Personal data will never be transmitted electronically (e.g., by e-mail) unless securely encrypted.

9.2 Data Processing Equipment

Given the scale and nature of the personal data held by Adult Literacy Trust, it is not proportionate for Adult Literacy Trust to purchase dedicated computers for the processing of personal data.

Instead Adult Literacy Trust will purchase and own not more than 5 removable storage devices to store the personal data that it holds and processes. The removable storage devices will also act as backup devices. These may be encrypted for security.

Whilst the data will be processed on the computers/laptops to which the Data Processors have access, no personal data covered by the UK GDPR and the DPA will be stored on those computers/laptops. All interim working data transferred to such computers/laptops for processing will be deleted once processing has been completed.

When not in use the removable storage devices will be kept in a secure location and reasonably protected against accidental damage, loss, avoidable theft or other misuse by persons other than the Data Processors.

The Data Controller & Data Processors will keep a register of:

1. the location of all removable devices used for the storage and processing of personal data;
2. each occasion when the data on each device were accessed or modified and by whom.

Adult Literacy Trust’s removable storage devices shall not be used for the storage of any data which are unrelated to Adult Literacy Trust’s processing of personal data.

9.3 Data Processing Location

Data Processors shall only process Adult Literacy Trust’s personal data in a secure location, and not in any public place, e.g., locations whether the data could be overlooked by others, or the removable data storage devices would be susceptible to loss or theft.

Computers/laptops in use for data processing will not be left unattended at any time.

9.4 Data Backups

To protect against loss of data by accidental corruption of the data or malfunction of a removable data storage device (including by physical damage), all Adult Literacy Trust’s personal data shall be backed up periodically and whenever any significant changes (additions, amendments, deletions) are made to the data.

Backup copies of the data shall be held in separate secure locations which are not susceptible to common risks (e.g., fire, flood, theft).

As far as is reasonably practical, all files containing personal data covered by the UK GDPR and the DPA will be encrypted. The encryption keys will be held securely in a location which is separate from the data storage media.

9.5 Obsolete or Dysfunctional Equipment (Disposal of Removable Storage Media)

Equipment used to hold personal data, whether permanently or as interim working copies, which come to the end of their useful working life, or become dysfunctional, shall be disposed of in a manner which ensures that any residual personal data held on the equipment cannot be recovered by unauthorised persons.

Inasmuch as:

1. this will be a relatively infrequent occurrence;
2. techniques for data recovery and destruction are constantly evolving;
3. none of the Trustees have relevant up-to-date expert knowledge of data cleansing;

equipment which becomes obsolete or dysfunctional shall not be disposed immediately. Instead it will be stored securely while up-to-date expert advice on the most appropriate methods for its data cleansing and disposal can be sought and implemented.

10.1 The Rights of Data Subjects

In compliance with the UK GDPR and the DPA Adult Literacy Trust will give data subjects the following rights. These rights will be made clear in the relevant Data Privacy Notice provided to data subjects:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right of erasure {LO} Also referred to as "The right to be forgotten"
• the right to restrict processing;
• the right to data portability; {LO} {LI}
• the right to object; {SC} {Co} {LO}
• the right not to be subjected to automated decision making, including profiling.

The above rights are not available to data subjects when the legal basis on which Adult Literacy Trust is holding & processing their data are: {SC} Subject Consent; {Co} Contractual obligation {LO} Legal Obligation {LI} Legitimate Interest

10.2 Rights of Access, Rectification and Erasure

Data subjects will be clearly informed of their right to access their personal data and to request that any errors or omissions be corrected in an expedited manner.

Such access shall be given and the correction of errors or omissions shall be made free of charge provided that such requests are reasonable and not trivial or vexatious. There is no prescribed format for making such requests provided that:

1. the request is made in writing, signed & dated by the data subject (or their legal representative);
2. the data claimed to be in error or missing are clearly and unambiguously identified;
3. the corrected or added data are clear and declared by the subject to be complete and accurate.

It will be explained to subjects who make a request to access their data and/or to have errors or omissions corrected, or that their data be erased, that, while their requests will be actioned as soon as is practical there may be delays where the appropriate volunteers or staff to deal with the request do not work on every normal weekday.

Where a data subject requests that their data be rectified or erased the Data Controller and Data Processor will ensure that the rectifications or erasure will be applied to all copies of the subject’s personal data including those copies which are in the hands of a Third Party for authorised data processing.

10.3 Right of Portability

Adult Literacy Trust will only provide copies of personal data to the data subject (or the data subject’s legal representative) on written request.

Adult Literacy Trust reserves the right either:

1. to decline requests for portable copies of the data subject’s personal data when such requests are unreasonable (i.e., excessively frequent) or vexatious; or
2. to make a reasonable charge for providing the copy.

10.4 Data Retention Policy

Personal data shall not be retained for longer than:

1. In the case of data held by subject consent: the period for which the data subject consented to Adult Literacy Trust holding their data;
2. in the case of data held by legitimate interest of the charity: the period for which that legitimate interest applies. For example: in the case of data subjects who held a role, such as a volunteer, with Adult Literacy Trust the retention period is that for which Adult Literacy Trust reasonably has a legitimate interest in being able to identify that individual’s role in the event of any retrospective query about it;
3. in the case of data held by legal obligation: the period for which Adult Literacy Trust is legally obliged to retain those data.

Adult Literacy Trust shall regularly – not less than every 6 months – review the personal data which it holds and remove any data where retention is no longer justified. Such removal shall be made as soon as is reasonably practical, and in any case no longer than 20 working days (of the relevant Data Processor) after retention of the data was identified as no longer justified.

11.1 Trustees' Data

The volume of personal data is very low – fewer than 15 individuals. The sensitivity of the data is low-moderate: the most sensitive data being date of birth, previous names and previous addresses. The risk of data breach is small as the data are rarely used, with the majority of the data being held for a combination of legal obligation and legitimate interest.
Overall impact: LOW

11.2 Volunteers'/Members' Data

The volume of personal data is low – fewer than 100 individuals. The sensitivity of the data is low: the most sensitive data being an e-mail address. The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.
Overall impact: LOW

11.3 Supporters' & Enquirers' Data

The volume of personal data is low-moderate.
The sensitivity of the data is low: the most sensitive data being an e-mail address. The risk of data breach is small – primarily the accidental disclosure of names & e-mail addresses.
Overall impact: LOW

Under no circumstance will Adult Literacy Trust share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects as authorised by the Data Controller.

Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of Adult Literacy Trust’s objects.

Before sharing personal data with a third party, Adult Literacy Trust will take reasonable steps to verify that the third party is, itself, compliant with the provisions of the UK GDPR and the DPA and confirmed in a written contract. The contract will specify that:

• Adult Literacy Trust is the owner of the data;
• The third party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller;
• The third party will not use the data for its own purposes;
• The third party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption or loss;
• The third party will be responsible for the consequences of any theft, breach, corruption or loss of Adult Literacy Trust’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption or loss was a direct and unavoidable consequence of the third party complying with the data processing instructions of the Data Controller.
• The third party will not share the data, or the results of any analysis or other processing of the data with any other party without the explicit written permission of the Data Controller;
• The third party will securely delete all data that it holds on behalf of Adult Literacy Trust once the purpose of processing the data has been accomplished;
• Adult Literacy does not, and will not, transfer data outside of the EU.

In the event of any data breach coming to the attention of the Data Controller, the Trustees will make an assessment of whether the breach is one which the Data Controller is required to report under UK GDPR, and if so, immediately notify the Information Commission’s Office.

In the event that full details of the nature and consequences of the data breach are not immediately accessible (e.g., because Data Processors do not work on every normal weekday) the Trustees will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available.

Adult Literacy Trust will have a Privacy Policy and appropriate Privacy Notices which it will make available to everyone on whom it holds and processes personal data, in accordance with 5.1.

In the case of data obtained directly from the data subject, the Privacy Notice will be provided at the time the data are obtained.

In the case that the data are not obtained directly from the data subject, the Privacy Notice will be provided within a reasonable period of Adult Literacy Trust having obtained the data (within one month), or, if the data are used to communicate with the data subject, at the latest, when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest, before the data are disclosed.